security secret server launchers

Post on 31-Jan-2022


IBM® Security Secret Server Launchers

IBM SECURITY SUPPORT OPEN MIC

NOTICE: BY PARTICIPATING IN THIS CALL, YOU GIVE YOUR IRREVOCABLE CONSENT TO IBM TO RECORD ANY STATEMENTS THAT YOU MAY MAKE DURING THE CALL, AS WELL AS TO IBM’S USE OF SUCH RECORDING IN ANY AND ALL MEDIA, INCLUDING FOR VIDEO POSTINGS ON YOUTUBE. IF YOU OBJECT, PLEASE DO NOT CONNECT TO THIS CALL.

June 12, 2019

2 IBM Security

IBM VIP Rewards is a way to engage with and recognize the ways that you, the client, add value to IBM. Complete fun challenges and get rewarded for interacting with IBM, learning new technologies and sharing your knowledge.

Announcing IBM VIP Rewards

Engage. Earn points. Get Rewards.

Learn more: ibm.biz/vip-rewards

Join IBM VIP Rewards for Security: ibm.biz/JoinIBMVIPRewards-Security


IBM Security Learning Academy

• Courses

• Videos

• Hands-on Labs

• Live Events

• Badges

Learning at no cost.

New content published daily.


Panelists

Jensen Toma – Presenter – L2 Support

Dan Barto – Moderator – L2 Manager

Grey Thrasher – L2 Team Lead

Daryl Romano – L2 Support

Mohammad Khan – L2 Support

Gary Sedler – L2 Support


Agenda

• What are Launchers?

• Launcher Types
  – Remote Desktop, PuTTY, Web, Custom

• Session Management

• SSH Proxy
  – SSH Command Menus

• Live Demo

• Troubleshooting tips

• Q&A


What are Launchers?

• Secret Server launchers open a connection to a remote computer or device, or log into a website, using the secret’s credentials directly from the web page
  – Convenient and easy to use
  – The user never needs to know the password
  – Launchers only work on Windows and Mac clients


Enabling Launchers

• By default, launchers are enabled
  – Administration > Configuration


Enabling Launchers

• Microsoft ClickOnce technology
  – https://docs.microsoft.com/en-us/visualstudio/deployment/clickonce-security-and-deployment?view=vs-2019
  – Applicable if the majority of users use Internet Explorer

• Protocol Handler (default)
  – Recommended if Firefox and Chrome are used


Enabling Launchers

• Launcher Tools
  – Tools > Launcher Tools


Types of Launchers

• Admin > Secret Templates > click on “Configure Launchers”


Types of Launchers

• You can disable individual launchers by clicking on the launcher name, choosing Edit, then clearing the checkbox in the “Active” field

• You can also change the launcher name if you prefer to use something else


Remote Desktop Launcher

• Initiates an RDP connection to a target machine


PuTTY Launcher

• Initiates an SSH session to a UNIX/Linux device


Web Password Filler

• Opens a web page and injects login credentials


Custom Launcher

• Custom Launcher for TOAD


Custom Launcher

• Admin > Secret Templates > Configure Launchers > New


Session Management

• Admins can terminate active sessions that were initiated through a launcher


Session Management

• The same functionality can be used to send a message to the user


SSH Proxy

• RDP and SSH sessions will be proxied through the Secret Server
  – Admin > SSH Proxy

• Distributed Engines can also be used as a proxy for greater network flexibility


SSH Command Menus

• Can be enabled to restrict the commands available to a user
  – Requires that SSH Proxy be enabled
  – Creates a menu of commands that can be run

• No other commands are available to the user

Live Demonstration

Troubleshooting Tips


Requirements

• .NET Framework 4.5.1

• Workstation must trust the SSL certificate installed on the IIS server protecting Secret Server
  – If the SSL cert and/or signer certs are not trusted, launchers will fail and return an error


Items to Double Check

• Protocol Handler is installed to:
  – C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler

• Double check that Firefox / Chrome add-ons are installed and enabled


Common Error Messages

• The Secret Server Launcher failed to load. Exception: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel
  – Verify that the Secret Server SSL cert and/or signer certs are trusted by the workstation

• The process (process name) was not found
  – The application is not installed on the machine. If the application is installed, the folder location should be added to the path.

• The stub received bad data (1783)
  – The process is set to launch using the credentials of the secret, but the username or domain is incorrect.
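As an added troubleshooting aid (not from the IBM deck), the PowerShell script below checks, from a Windows workstation, the prerequisites and failure causes listed under Requirements, Items to Double Check and Common Error Messages: the .NET Framework level, the Protocol Handler install folder, whether the launcher executable is on the PATH, and whether the workstation trusts the Secret Server certificate chain. The Secret Server host name and the launcher executable name are assumed placeholders.

```powershell
# Added diagnostic script, not part of the IBM deck. $SecretServerHost and
# $LauncherExe are assumed placeholders; replace them with your own values.
param(
    [string]$SecretServerHost = 'secretserver.example.invalid',
    [string]$LauncherExe      = 'putty.exe'
)

$results = [ordered]@{}

# 1. .NET Framework 4.5.1 or later (deck: Requirements).
#    Release 378675 is the 4.5.1 marker on Windows 8.1 / Server 2012 R2; later
#    builds carry larger values, so ">=" means "4.5.1 or newer".
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results['.NET 4.5.1+']       = ($null -ne $ndp -and $ndp.Release -ge 378675)

# 2. Protocol Handler present in the documented folder (deck: Items to Double Check).
$phDir = 'C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler'
$results['Protocol Handler']  = Test-Path $phDir
$results['RDPWin.exe.config'] = Test-Path (Join-Path $phDir 'RDPWin.exe.config')

# 3. Launcher executable resolvable via PATH (deck: "The process ... was not found").
$results["$LauncherExe on PATH"] = [bool](Get-Command $LauncherExe -ErrorAction SilentlyContinue)

# 4. Workstation trusts the Secret Server certificate chain (deck: "Could not
#    establish trust relationship"). SslStream's default validation consults the
#    Windows trust stores, so an untrusted server or signer certificate shows up
#    here as an AuthenticationException rather than inside the launcher.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($SecretServerHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($SecretServerHost)
    $results['TLS chain trusted'] = $true
    $results['Server cert']       = $ssl.RemoteCertificate.Subject
} catch [System.Security.Authentication.AuthenticationException] {
    $results['TLS chain trusted'] = $false
    $results['TLS error']         = $_.Exception.Message
} catch {
    $results['TLS chain trusted'] = $false
    $results['TLS error']         = "connection failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}

# One line per check; a False row points at the matching item in the deck.
$results.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
```

Run it in the same user context that launches secrets, since the certificate trust check reads that user's and the machine's certificate stores.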


Protocol Handler Logging

• To enable logging of the Protocol Handler, edit:
  – C:\Program Files\Thycotic Software Ltd\Secret Server Protocol Handler\RDPWin.exe.config


Questions and Answers

Q: For RDP, can we restrict the connection to local disk or other resources?

A: I believe those are RDP client itself....so you might be able to accomplish the same with custom launcher that executes mstsc with some command options to restrict to local disks. There is an option on the Windows AD Secret(s) (in "Personalize" tab) to "Allow Access to Drives", which might be what you're looking for as well.

Q: SSH Proxy is a way to implement a bastion or Jump server?

A: You could use Distributed Engine(s) on other servers, for SSH Proxy(s). But yes...this would allow for more control over the access from client to endpoints, especially useful for offsite workers and/or access to systems in different network segments/behind firewalls etc. (typically not accessible directly from clients)

Q: Equivalent function for the other protocols?

A: SSH and RDP supported.

Q: When will “ssh command blacklisting” be added? The user can use any commands, except those that are on the black list.

A: That would be a question for Product Management. If required, please submit a Request For Enhancement here: https://www.ibm.com/developerworks/rfe/

Q: Do you know if SAPlogon has been managed with a custom launcher with success?

A: I believe I've heard of some customers/partners creating SAP custom launchers, but I have no details. I found someone had used the SHORTCUT parameters for sapgui.exe to accomplish this.


Where do you get more information?

Search first, then ask in the new IBM Support Forum: http://ibm.biz/SecretServer-SupportForum

More information:

• Security Learning Academy: http://ibm.biz/ISSS-LearningAcademy

• IBM Knowledge Center: https://www.ibm.com/support/knowledgecenter/en/SSWHLP_10.6.0/com.ibm.isss.doc/kc-homepage.html

• IBM Security Secret Server Support: https://ibm.biz/SecretServerSupport

Useful links:

• Get started with IBM Security Support

• IBM My Support | Sign up for “My Notifications”

• FREE learning resources on the Security Learning Academy

• ibm.com/security/community

Follow us:

• www.youtube.com/user/IBMSecuritySupport

• twitter.com/askibmsecurity

• http://ibm.biz/ISCS-LinkedIn

© Copyright IBM Corporation 2019. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.

FOLLOW US ON:

THANK YOU

xforce.ibmcloud.com

@askibmsecurity

youtube/user/IBMSecuritySupport

securityintelligence.com

SecurityLearningAcademy.com

ibm.com/security/community

IBM Security Client Success
